The sendmail overflow bug -- full analysis
John McCormick
Published: 17 Mar 2003 11:11 GMT
Mitigating factors
As I mentioned above, there is an ongoing debate about whether this Sendmail vulnerability is a widespread threat or, because of various mitigating factors, it can be exploited on only a few systems. The Last Stage of Delirium says that its preliminary test of this exploit showed it wasn't as dangerous as first thought:
"Due to the nature of the discussed Sendmail vulnerability it seems that it is unexploitable on most of commercially available Unix systems. It also doesn't seem to be exploitable on most of the default SMTP installations of x86 based open source systems. This leads to the conclusion that the overall impact of the vulnerability is rather limited and not so significant as it might be thought."
However, the group's analysis covered only one possible exploit mechanism on Unix and Linux (Slackwave and Red Hat) servers.
In a BugTraq message, Sendmail's Eric Allman responded to the Last Stage of Delirium's downplaying of this vulnerability by saying, "Besides direct execution path exploits, there are other variables that are not pointers that have security implications; finding one of them within range will be more difficult, but probably not impossible ... Everyone should patch as soon as possible, regardless of platform."
Fix--patch or update to Sendmail version 8.12.8.
Sendmail.org has produced patches for versions 8.9, 8.10, 8.11, and 8.12, but the vulnerability is also found in earlier versions. For those who are using earlier versions of the software, Sendmail.org recommends open source users of versions prior to 8.9 take the opportunity to update to the latest version. Sendmail Inc. is also making a binary patch available for commercial customers.
ISS has developed a "virtual" patch for the Sendmail vulnerability using the security company's Dynamic Threat Protection platform. Updates are available from the ISS Download center.
Final word
ISS reports that it notified Sendmail on Jan. 13, 2003, and received confirmation from the vendor on the same day. ISS worked with the vendor and reports good cooperation. It did not make a public announcement of the threat until March 3, 2003.
Still, I have to wonder why the Last Stage of Delirium hackers felt it was necessary to publish a detailed proof of concept for this Sendmail bug, which no one was denying existed. The first group to discover a vulnerability (ISS, in this instance) may have a good reason to publish proof of concept showing how to engineer an attack, especially if vendors are ignoring them. However, what legitimate purpose is served by doing so after everyone admits there is a problem and moves to fix it?
The usefulness of this posting would be more obvious if the Last Stage of Delirium had completely explored the vulnerability and was demonstrating that it really wasn't very dangerous. But its BugTraq report began, "We did not perform full analysis of this issue," and ended, "However, we cannot exclude that there does not exist another execution path in the Sendmail code that could lead to the program counter overwrite." On the other hand, according to the report, the exploit doesn't really work very well. In that light, I guess there was little harm in publishing the exploit unless someone uses it to explore other ways to take advantage of the flaw.
For a weekly round-up of the enterprise IT news, sign up for the Enterpise newsletter.
Tell us what you think in the Enterprise Mailroom.
Previous
Did you find this article useful?
69 out of 124 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
